A federal judge in California has largely rejected a motion by Verizon to dismiss a class-action lawsuit brought by victims of three Yahoo data breaches. The breaches appear to have compromised every Yahoo user's personal details at least once.

In the defendant's favor, however, Judge Lucy Koh in her Friday ruling also denied several claims by the plaintiffs that Verizon had challenged, including deceit by concealment, negligence and breach of contract.

Verizon closed its acquisition of Yahoo last June for $4.48 billion. Under the terms of the deal, Yahoo agreed to shoulder half of the costs related to government investigations and third-party litigation over its breaches. Yahoo also bears full liability for any shareholder lawsuits and faces a probe by the U.S. Securities and Exchange Commission.

The search giant reportedly did not carry cyber insurance.

Plaintiffs Allege Poor Security Practices

The class-action lawsuit contends that Yahoo failed to adequately protect user accounts and to disclose its inadequate information security practices. Plaintiffs have also accused the company of waiting too long to disclose the breaches to users, which prevented them from taking remedial action to prevent their personal information from being abused.

Some plaintiffs have also alleged that they suffered losses when their personal information was exposed, resulting in fraudulent charges appearing on their credit cards and subjecting them to an increase in spam.

Koh's March 8 ruling on Verizon's motion to dismiss.

The class-action lawsuit was first filed on Dec. 7, 2016. In September of that year, Yahoo made its first breach disclosure, saying 500 million accounts were stolen in late 2014. In December 2016, it upped the estimated victims to 1 billion and said that attackers had also forged cookies, allowing them to access the accounts.

In August 2017, Koh rejected a motion by Verizon to dismiss the class-action complaint. Then Yahoo made yet another breach disclosure in October 2017, saying that the details of nearly every one of its 3 billion users were exposed in the 2013 breach (see Yahoo: 3 Billion Accounts Breached in 2013).

After that disclosure, Koh granted the plaintiffs time to amend their complaint. Verizon followed in February by filing another motion to dismiss the case, which Koh addressed in her Friday ruling.

Among many contentions, Verizon sought to dismiss one plaintiff claim, which seeks punitive damages, on the grounds that the complaint does not allege that a specific officer or director committed "oppressive, fraudulent or malicious acts."

But the judge rejected the contention, writing that "plaintiffs satisfy that standard by focusing on particular conduct by the CISO."

In addition, "these circumstances make plausible plaintiffs' claim that high-ranking executives and managers at Yahoo, including its CISO, committed oppressive, fraudulent, or malicious conduct," Koh writes.

Verizon officials could not be immediately reached for comment on Koh's ruling.

In March 2017, the U.S. Department of Justice indicted two Russian FSB agents and two other freelance hackers for attacks against Google and Yahoo. One of the men, Karim Baratov, was extradited to the U.S. and pleaded guilty to hacking Gmail and Yandex accounts. Baratov, however, was not accused of any involvement in the Yahoo breaches.

The indictment alleges that one of the four men, Alexsey Belan, mined Yahoo email accounts for credit card and gift card numbers. Belan, who is now believed to be living in Russia, has also been accused of minting forged cookies that gave him access to 30 million Yahoo email accounts. Those accounts were then allegedly targeted with spam (see Russian Spies, Two Others, Indicted in Yahoo Hack).

Yahoo said in December 2016 that attackers reverse-engineered the company's cookies, the small data files that allow persistent access to an account without re-entering a password. That gave the attackers access to accounts without needing to know the passwords.

Yahoo's first breach disclosure surfaced while the company was in acquisition negotiations with Verizon. The worries over future breach-related costs impacted the price. While Verizon originally offered $4.83 billion for Yahoo, which is now part of its Oath subsidiary, the final price was $350 million lower, owing to a discount Verizon negotiated after Yahoo's massive breaches began to come to light.

About the Author

Kirk is a veteran journalist who has reported from more than a dozen countries. Based in Sydney, he is Managing Editor for Security and Technology for Information Security Media Group. Prior to ISMG, he worked from London and Sydney covering computer security and privacy for International Data Group. Further back, he covered military affairs from Seoul, South Korea, and general assignment news for his hometown paper in Illinois.
